|Aegis: Security Policy in Depth|
|The Business of Knowing: Private Market Data and Contemporary Intelligence|
|Tue, 30 Nov 2021 15:24:07 -0500|
Many U.S. federal agencies are purchasing private market data (PMD). Some will assume these practices illustrate a federal government run amok, intent on trampling Americans’ constitutionally-protected rights under the guise of “national security.” Others will view cries of “tyranny!” and warnings about the “deep state” as nothing more than naivete about the realities of a dangerous world or fearmongering for political advantage. But the issue is more complicated and there is another side of the story. Government access to PMD does implicate liberty concerns, but it also implicates security issues that require serious consideration if this constitutionally-induced tension is to be properly balanced. This paper argues that U.S. government access to at least some private market data—and the limiting of foreign access to this same information—is essential for national security. It also argues, however, for a refined awareness that acknowledges the privacy we have already lost and that implements greater government oversight and accountability. It must also be said that this paper provokes more questions than it answers. It does not exhaustively assess or explain many of the relevant facts, trends, issues, and implications cited. The aim here is to abstract from nuance and detail to explain how our nation has come to this place, and to emphasize the security implications of our chosen path forward.
|Buying Data and the Fourth Amendment|
|Wed, 17 Nov 2021 15:04:19 -0500|
Can governments purchase user records as an end-run around the warrant requirement imposed by Carpenter v. United States£ As a matter of Fourth Amendment law, the answer is “yes.” Companies have common authority over their business records. Common authority allows companies to consent to a government search of their databases even when their users oppose it. A voluntary sale manifests consent, permitting the government to buy access to Carpenter-protected records without a warrant or cause. Arguments exist for why a different rule may be justified someday. But for now, and for the foreseeable future, Fourth Amendment law permits buying business records even if users have rights in those records.
You can read the paper here and below:
|A Gig Surveillance Economy|
|Wed, 10 Nov 2021 10:15:33 -0500|
This essay describes gig surveillance work, what potential legal and policy questions it raises and what it means for further entrenchment of private information market reliance by the government. This essay defines gig surveillance work as short-term, freelance, temporary surveillance that generates data later sold for profit. In the aggregate, this gig surveillance economy a) mimics the temporary, platform-mediated work we see in rideshares and food and package delivery; b) involves information collection with cheap and networked tools; and c) requires no specialized skills. Every element necessary for gig surveillance work already exists, and conditions are ripe for its flourishing. The production of surveillance data is already a by-product of conventional gig work. What we can expect is the further development of gig work for the sake of surveillance itself.
|Facial Recognition as a Less-Bad Option|
|Thu, 04 Nov 2021 15:30:21 -0400|
This essay defends the police use of facial recognition technology to identify suspects in crime footage or to locate individuals with outstanding warrants. I will argue that the perils that flow from facial recognition can be mitigated through sensible limits without banning the technology, and that in any case, the risks of facial recognition are less bad than the options police have without its use. In other words, acknowledging the potential costs of police use of facial recognition, I make the case that such use is still warranted. My argument goes as follows: (1) to the extent criminal justice reformers have political capital to spend, it should be spent dramatically reducing criminal liability and sentences for all crimes while increasing the probability that criminal conduct will be detected; and (2) facial recognition is a valuable tool for increasing the probability of detection because it reduces the discretion that police officers have as compared to other forms of surveillance. Holding everything else constant, it is more efficient and more fair for police to run a photograph through facial recognition software to identify candidate suspects than to try to identify the suspect using witnesses or to solve the case without using the image.
|Understanding Police Reliance on Private Data|
|Fri, 08 Oct 2021 09:03:30 -0400|
Although law enforcement investigations have always depended on information from private actors, modern technology and big data have transformed an analog collection process into an automated, digital one. This shift has elevated the role that private entities play in the investigative process, mirroring the growth of private influence across the entire criminal system. Many of these private influences have been fiercely criticized. Although there is merit to these concerns, blanket opposition to any role for private actors in the criminal system is not a sound policymaking approach. The challenge, then, is for policymakers is to distinguish beneficial private influences from harmful ones. In this paper, I suggest that in order to realize the benefits and guard against the harms of private influence, regulators should focus on private entities that have close relationships with law enforcement. These entities are least likely to push back against law enforcement and instead are more likely to become a private extension of law enforcement. Requiring these entities to register and to provide insight into their collection practices is an important step toward a more effective regulatory structure.
|Private Data/Public Regulation|
|Mon, 04 Oct 2021 09:20:49 -0400|
Policing increasingly relies on the collection of digital data, often of people for whom there is no basis for suspicion. Police seek fewer search warrants and more requests to harvest metadata, they buy data from brokers, they track location and other aspects of our lives. Sometimes police collect the data themselves. More often they gather it from third parties. They do so by purchase, and by court order. The benefits of this approach are uncertain, but placing this much personal data in the hands of the government has its costs. It endangers our personal security, and our sense of privacy. It threatens racial equity, and our right to associate, including for political activity. It puts enormous power in the government to control behavior. This article makes the novel argument that, as a matter of constitutional law, policing agencies cannot collect digital data, particularly about individuals for whom there is no suspicion of wrongdoing, without a sufficient regulatory scheme in place. This includes a justification for collection that can be shown to further public safety, and sufficient safeguards to protect individual interests. if these practices are to continue, legislative authorization and regulation is requisite.
|Modern Day General Warrants and the Challenge of Protecting Third-Party Privacy Rights in Mass, Suspicionless Searches of Consumer Databases|
|Tue, 28 Sep 2021 08:51:43 -0400|
Today, more than ever, law enforcement has access to massive amounts of consumer data that allow police to, essentially, pluck a suspect out of thin air. Internet service providers and third parties collect and aggregate precise location data generated by our devices and their apps, making it possible for law enforcement to easily determine everyone who was in a given area during a given time period. Similarly, search engines compile and store our internet searches in a way that allows law enforcement to learn everyone who searched for specific keywords like an address or the word “bomb.” And DNA is now amassed in consumer genetic genealogy databases that make it possible for law enforcement to identify almost any unknown person from their DNA, even if the unknown person never chose to add their own DNA to the database. Modern law enforcement officials very frequently conduct “suspicionless searches”—searches that are not based on individualized suspicion—on these computer databases. This article describes the problem of suspicionless searches of consumer databases, explains the threat these searches pose to privacy interests, argues that the legal arguments put forth by law enforcement in defense of these practices are flawed and suggests what should be done about the problem, both in courts and in the legislature.
|Adapting to the Cyber Domain: Comparing U.S. and U.K. Institutional, Legal and Policy Innovations|
|Tue, 25 May 2021 10:26:46 -0400|
Prime Minister Boris Johnson made it official in a statement to Parliament on Nov. 19, 2020. “I can announce that we have established a National Cyber Force, combining our intelligence agencies and service personnel,” he proclaimed, adding that it “is already operating in cyberspace against terrorism, organised crime and hostile state activity.”
Public avowal of the National Cyber Force (NCF) came as no great surprise. Plans to take this institutional step had been discussed publicly before, after all. Nonetheless, it was a significant moment in the ongoing process of tailoring U.K. institutions, policies and legal frameworks to suit the evolving nature and scale of cyber domain threats and opportunities. The NCF embodies certain distinctive characteristics of the British system, including flexibility regarding institutional roles in general and the role of intelligence agencies in particular. Much the same can be said, moreover, for another recent British organizational innovation: creation of the National Cybersecurity Centre (NCSC).
The American experience throughout this same period has been analogous in many respects—including the creation of new organizations with defensive and offensive missions—yet it is by no means identical. As we shall see, institutional formalism is far more conspicuous in the American system, and so too are anxieties about the roles of intelligence agencies. Whether these are bugs or features is, perhaps, in the eye of the beholder. The comparison between the U.K. and U.S. models, at any rate, is instructive.
|'Defend Forward' and Sovereignty|
|Fri, 30 Apr 2021 11:26:52 -0400|
Among the most discussed provisions of the Tallinn Manual 2.0 is Rule 4: “Violation of sovereignty.” Rule 4 provides: “A State must not conduct cyber operations that violate the sovereignty of another State.” Considered alone, Rule 4 is banal and unobjectionable, since there are many established sovereignty-based international-law rules that cyber operations might violate. For example, the UN Charter’s prohibition on certain uses of force and the customary international-law rule of nonintervention constrains cyber operations by one state in another. The hard question is whether international law related to sovereignty prohibits anything more. Here the commentary to Rule 4 is quite ambitious. It argues that a stand-alone customary international-law concept of state sovereignty operates to regulate and render illegal certain cyber operations that would not otherwise be illegal under any of the specific and acknowledged sovereignty-based rules of international law. This paper argues that the discrete rules articulated in the Rule 4 commentary do not reflect customary international law. The Rule 4 commentary cites very little legal authority in support of its bold conclusions and lacks any practical connection to the complex interplay of extensive state practice and opinio juris that constitutes customary international law.
|Cyberattack Attribution as Empowerment and Constraint|
|Fri, 15 Jan 2021 10:15:34 -0500|
When a state seeks to defend itself against a cyberattack, must it first identify the perpetrator responsible£ The US policy of “defend forward” and “persistent engagement” in cyberspace raises the stakes of this attribution question as a matter of both international and domestic law.
International law addresses in part the question of when attribution is required. The international law on state responsibility permits a state that has suffered an internationally wrongful act to take countermeasures, but only against the state responsible. This limitation implies that attribution is a necessary prerequisite to countermeasures. But international law is silent about whether attribution is required for lesser responses, which may be more common. Moreover, even if states agree that attribution is required in order to take countermeasures, ongoing disagreements about whether certain actions, especially violations of sovereignty, count as internationally wrongful acts are likely to spark disputes about when states must attribute cyberattacks in order to respond lawfully.
Under domestic US law, attributing a cyberattack to a particular state bolsters the authority of the executive branch to take action. Congress has authorized the executive to respond to attacks from particular countries and nonstate actors in both recent cyber-specific statutory provisions and the long-standing Authorizations for Use of Military Force (AUMFs) related to 9/11 and the Iraq War. Attribution to one of these congressionally designated sources of attack ensures that the executive branch need not rely solely on the president’s independent constitutional authority as commander in chief when responding, but instead can act with the combined authority of Congress and the president.
Common across international and US law is the fact that cyberattack attribution serves as both a potential source of empowerment and a potential constraint on governmental action. In both systems, attribution of a cyberattack to another state bolsters the US executive branch’s authority to respond, and conversely, the absence of attribution can place the executive on less certain legal footing.
This essay proceeds in three parts. It first explains cyberattack attribution and attribution’s interaction with existing international law on the use of force and state responsibility. The next section turns to the US “defend forward” policy and explores how it may spur disagreements about when states must attribute cyberattacks, even if they agree on the general legal framework set out in the first part. The essay then briefly addresses US domestic law and explains how congressional authorizations for certain military actions depend on attribution. The conclusion discusses how attribution can shape, not just be shaped by, the international and domestic legal systems.